WTF is it?


OPSEC in a nutshell 


• Keep your mouth shut
• Guard secrets
• Need to know
• Never let anyone get into position to blackmail you
the website of Fine Gael, an Irish political party, was hacked
and Fine Gael’s website was defaced with an Anonymous-related
symbol and, among other things, the words “<owned [hacked] by
Raepsauce and Palladium>.” I have spoken with another agent who
has reviewed the contents, obtained pursuant to a search warrant
obtained in the Southern District of New York, of a Facebook
account held by a co-conspirator not named as a defendant herein.
Based on my conversation with that agent, I have learned that on
or about January 9, 2011 (around the time the Fine Gael website
was defaced), the user of the Facebook account received an
electronic message from another Facebook user with the name
“Donncha Carroll” [“Carroll” is an English equivalent of the
Gaelic “O’Cearrbhail”]. The message from “Donncha Carroll”
contained computer code which produces the same defacement as
appeared on the Fine Gael website when it was defaced.

engaged in certain forms of Internet chat, such as some of those
detailed in this Complaint, may seek to cloak their true
identities, including their true IP addresses, when engaged in
online chat sessions.** Individual users may do this by using a
“cloak key” that is unique to each computer network that hosts
chat forum(s) in which the user participates. A cloak key
employs an algorithm which uses, among other things, the user’s
IP address to generate a new, “cloaked” loginID. Accordingly, if
a user with the same IP address logs into the same chat hosting
computer network, the user’s cloaked loginID should tend to be
the same, regardless of whatever other aliases the user employs
in chats. Based on the FBI’s analysis of the chat sessions
detailed above, it appears that the online nicknames palladium,
polonium, and anonsacco shared one or more times the same cloaked
loginID. Accordingly, it appears that these nicknames had been
accessed from the same IP address and thus the same computer. In
addition, on several other occasions since in or about June 2011
up to the present, the nicknames palladium and polonium shared
loginIDs which had “Donncha” -- the defendant’s first name --
the associated username.
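
The correlation this excerpt describes, as an added example that is not part of the slides or the complaint: a cloak derived deterministically from the IP address stays constant across nickname changes, so grouping chat logs by cloaked host links the aliases (the example goes one step further and links them transitively). The HMAC-SHA256 cloak construction, the log line format, the network key, the nicknames and the documentation-range IP addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed values: a per-network secret and documentation-range IPs.
NETWORK_KEY = b"constructed-network-key"
IP_A, IP_B, IP_C = "192.0.2.10", "198.51.100.7", "203.0.113.50"


def cloak(ip: str, network_key: bytes) -> str:
    """Assumed cloak scheme: keyed hash of the IP, so the same IP on the
    same network always yields the same cloaked host."""
    digest = hmac.new(network_key, ip.encode(), hashlib.sha256).hexdigest()
    return f"{digest[:8]}.{digest[8:16]}.cloak"


def build_sample_log():
    """Constructed JOIN lines: three nicknames reuse two IPs, one does not."""
    sessions = [
        ("2011-06-14T02:10:07Z", "#chan", "alpha", "u1", IP_A),
        ("2011-06-20T23:41:55Z", "#chan", "bravo", "u2", IP_A),
        ("2011-07-02T01:03:12Z", "#ops", "bravo", "u2", IP_B),
        ("2011-07-02T01:30:00Z", "#ops", "charlie", "u3", IP_B),
        ("2011-07-03T11:00:00Z", "#chan", "delta", "u4", IP_C),
    ]
    lines = [
        f"{ts} JOIN {chan} {nick}!{user}@{cloak(ip, NETWORK_KEY)}"
        for ts, chan, nick, user, ip in sessions
    ]
    lines.append("2011-07-03T11:05:00Z NOTICE server restart")  # ignored
    return lines


def parse_joins(log_lines):
    """Yield (nick, user, cloaked_host) from 'TS JOIN #chan nick!user@host'."""
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[1] != "JOIN":
            continue
        nick, _, rest = parts[3].partition("!")
        user, _, host = rest.partition("@")
        if nick and user and host:
            yield nick, user, host


def cluster_aliases(log_lines):
    """Group nicknames that ever shared a cloaked host, transitively,
    using a small union-find over nick and host nodes."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    nicks = set()
    for nick, _user, host in parse_joins(log_lines):
        nicks.add(nick)
        union(("nick", nick), ("host", host))

    groups = defaultdict(set)
    for nick in nicks:
        groups[find(("nick", nick))].add(nick)
    return sorted(sorted(group) for group in groups.values())


if __name__ == "__main__":
    for group in cluster_aliases(build_sample_log()):
        print(group)
```

Changing the nickname does nothing to the cloak; only a different source IP (or a different network key) changes it, which is why the slide's rule is about never letting two personas touch the same connection.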


[...] responded, “no way. what makes [...]
which polonium replied, “I was shown them during my
interrogation.” The CW then asked, “like did [...]
channels?”, to which polonium responded, [...]
#babytech at least.” Later in the conversation, the CW asked, [...]
this?” to which polonium responded, “this is palladium

Violation 
Don’t contaminate 


In a chat on or about July 31, 2011, at approximately
3:30 a.m., an individual using the alias “POW,” later identified as
the defendant, stated that “dumpster diving is all good i’m a freegan
goddess.” I know based on my investigation that “freegans” are
individuals who practice eating and reclaiming food that has been
discarded as part of an anti-consumerist movement. According to
Chicago law enforcement authorities whom I have spoken to who have
conducted surveillance of JEREMY HAMMOND, the defendant, in the course
of their investigations of HAMMOND since 2005, HAMMOND is a “freegan.”
In conducting surveillance, agents have seen HAMMOND going into
dumpsters to get food.




Violation 
Keep personal life and 
hacking separate 




(iv) The FBI in Chicago obtained information in the
course of a separate investigation that HAMMOND may have been involved
in hacks into the website of a white supremacist organization.
According to that investigation, various IP addresses used to access
the reported hacked accounts were connected to HAMMOND.


appears that in or about January 2012 there were a total of 146
instances in which an individual using the VPN service Perfect
Privacy obtained unauthorized access to the Compromised Gmail
Accounts. In addition, during this same time, there was at least
one instance of unauthorized access to one of the Compromised
Gmail Accounts by the Palladium IP Address, and several instances
of unauthorized access by IP addresses allocated to the same
Internet service provider in Ireland as the Palladium IP
Address.**


Violation 
Never operate from 
your home 


37. During the course of the physical surveillance, FBI agents
detected public signals broadcast from a wireless router (the
“ROUTER”) which, based on measurements of signal strength and the use
of directional antennas, they determined was located inside and
towards the rear of the CHICAGO RESIDENCE. Based on the
investigation, including information provided by JEREMY HAMMOND,


devices attached to computer networks.) Through a MAC address, it is
possible to identify the manufacturer of a device such as a computer.
One of the MAC addresses at the CHICAGO RESIDENCE was identified as
belonging to an Apple computer (the “Apple MAC Address”). The
defendant, using the alias “sup_g,” and CW-1 have discussed the fact
that the defendant used a “macbook,” an Apple laptop. When the Apple
MAC Address was initially identified as active at the CHICAGO
RESIDENCE, there were no indications that any other devices were
connecting to the ROUTER; moreover, CW-1 reported to me that the
defendant was online at that time.




Violation 
Don't reveal 
operational details 


b. An FBI TOR network expert analyzed the data from the
Pen/Trap and was able to determine that a significant portion of the
traffic from the CHICAGO RESIDENCE to the Internet was TOR-related
traffic. The Apple MAC Address was the only MAC address at the CHICAGO
RESIDENCE that was connecting to known TOR network IP addresses. The
defendant, using the alias “yohoho,” has discussed with CW-1 that he
used the TOR network. For example in a chat over a jabber service on
or about February 2, 2012, at approximately 5:22 a.m., “yohoho” said
that he could not play youtube videos because “it won’t play over tor.”
On February 6, 2012, at approximately 4:31 p.m., “yohoho” complained
that “tor’s always up and down.”




know that on or about August 4, 2011, the CW and an individual
using the online nickname “palladium” exchanged private chat
messages over the Internet. During the chat, the CW and
palladium discussed the theft of palladium’s online identity by
another individual. Palladium inquired what he could do to prove
his identity to the CW and stated, “I can post some info I have
from really old opps,” meaning prior computer hacking activity.
Palladium continued, “I can explain something about the sun” and
“I can give you some info I still have from the first fox LFI
[hack].”* Later in the chat, the CW asked if a certain IP
address (the “Palladium IP Address”) was used by palladium, to
which palladium responded that the “ip [address] looks like a
wifi I connect from.” The CW also asked whether palladium uses
“Perfect Privacy,” a virtual private network [*] service located
in Germany, to which palladium [...] “I use that vpn.”


According to the records obtained from Google, and based on
information provided by the Garda and the Garda Officers, it
appears that in or about January 2012 there were a total of 146
instances in which an individual using the VPN service Perfect
Privacy obtained unauthorized access to the Compromised Gmail
Accounts. In addition, during this same time, there was at least


Violation
Don't reveal 
operational details 


Fine Gael website in [...]
O’CEARRBHAIL’S arrest, [...] FBI had provided to the Garda certain
chat logs obtained by the CW [...] communications in two online chat
forums called “#sunnydays” [...] Garda officers then
showed certain of these chat logs to O’CEARRBHAIL during his
post-arrest interview, in which O’CEARRBHAIL admitted
participating in the Fine Gael hack described above.


know that on or about November 12, 2011, the CW and an individual
using the online [...] exchanged private chat
messages [...] During the chat, polonium stated “I
know for a fact the FBI has a large amount of log files” from a
server associated with Anonymous, and that “I was v&[7]”, to
which [...] responded, “no way. [...]
which polonium replied, “I was shown them during my
interrogation.” The CW then asked, “like did [...]
from channels?”, to which polonium responded, [...]
#babytech at least.” Later in the conversation [...]
is this?” to which polonium responded, [...]


know that on or about January 9, 2012, the CW and anonsacco
exchanged Internet chat messages. During the chat, anonsacco
stated, “I just got into the iCloud for the head of a national
police cybercrime unit. I have all his contacts and can track
his location 24/7.” Anonsacco then referenced “sunnydays”,
after which the CW inquired, “so who were you? if you know about
!sunnydays,” and “the channel name was leaked to feds. so
clearly im interested in who you were,” to which anonsacco
responded, “I understand it was leaked. That caused me a lot of
hassle. Could you understand that I don’t want to align myself
with a compromised screenname?” The CW then asked, “hassle how?
you got raided? or people doxed[**] you?” Later, the CW asked,
“so if you were raided, did they ask you about me?”, to which
anonsacco responded, “No. Not you personally.”




Violation 
Be paranoid 



Virus (10:30:18 PM): don't start accusing me of 
[being an informant] - especially after you 
disappeared and came back offering to pay me for 
shit - that's fed tactics 

Virus (10:30:31 PM): and then your buddy, topiary, 
who lives in the most random place 

Virus (10:30:36 PM): who's docs weren't even public 
Virus (10:30:38 PM): gets owned 

Sabu (10:32:29 PM): offering to pay you for shit? 
Virus (10:32:55 PM): yeah, you offered me money for 
"dox" 

Virus (10:33:39 PM): only informants offer up cash 
for shit -- you gave yourself up with that one 


HAPPY ENDING 
Virus is still free 


by CW-1 - were members of Anonymous, LulzSec, and/or AntiSec. Based
on my experience investigating computer crimes, I know that
individuals involved in computer-related criminal activity often use
multiple accounts and usernames, including IRC and Jabber usernames,
to mask their identities. Also based on that experience, I know that
it is possible, based on how online chats are logged by certain IM
applications such as IRC and Jabber, as well as how individuals
communicate with each other over the Internet, to associate an
individual with two or more online aliases. For example, if during
the course of an IM chat there is a question about the identity of an
individual, others in the chat will often seek to verify the
individual’s identity by, among other things, asking questions about
previous online interactions. In addition, if an IM user knows an
individual by multiple aliases, the user may refer to that individual
using different aliases during the same chat. At times, chat logs,
including IRC and Jabber chat logs, will also identify that a user who
previously logged in with a different alias is now logging in with a
new name. Through these various methods, in the course of this
investigation, I have identified a number of different online aliases
that the defendant used to communicate with CW-1 and others, including
the following: “anarchaos,” “yohoho,” “sup_g,” “burn,”


Violation 
Never contaminate 


through the morning of March 5, 2012: (i) the times at which physical
surveillance in Chicago indicated that HAMMOND had entered, was
inside, or had left, the CHICAGO RESIDENCE; (ii) the data from the
Pen/Trap indicating Internet activity by the Apple MAC Address and TOR
network activity from the CHICAGO RESIDENCE; and (iii) information
obtained from CW-1, in Manhattan, about online communications between
CW-1 and the defendant. Based on this analysis, as set forth below,
Internet activity by the Apple MAC Address and TOR network activity
from the CHICAGO RESIDENCE occurred during the time periods that
HAMMOND is present inside the CHICAGO RESIDENCE, as confirmed by
physical surveillance, and ceased, or at least continued but
diminished, after HAMMOND was seen leaving the CHICAGO RESIDENCE.
Similarly, information obtained from CW-1 about online activity by the
defendant corresponded to the time periods that HAMMOND was confirmed
to be inside the CHICAGO RESIDENCE as set forth below.


Bonus: w0rmer 


My name is Higinio Ochoa and until recently I have been also known as 
higochoa and w0rmer. I have spent the last few months fighting along 
side some of the best in the world. 

On March 20th 2012 @ 10:30 am around 8 agents from the FBI stormed my 
apartment and put me under arrest. Shortly after I was taken to the 
Texas City field office where I turned over all evidence I had 
collected on myself, over the course of the last few months. I then 
spent the subsequent hours going over w0rmer's timeline and confirming 
or denying my participation in various attacks. After FBI Agent Scott 
Jenson was done explaining how unimpressed he was with both my 
expressed skills, and information I provided the systems administrator 
for the Texas DPS. He then proceeded to interview me for the exact 
information concerning the breach of the Texas DPS site. (It would 
seem to me neither the DPS administrator nor the FBI fully understand 
the “complexity” of SQL injections.) After failing to get the printer 


Techniques 


Plumbing 


It is boring. 


You'll know it worked if 
nothing happens. 


Put it in place first. 


Paranoia doesn’t work 
retroactively 




Personas 


Spiros: He knows my name, but my name is 
not my name. And you... to them you're 
only "The Greek." 

The Greek: And, of course, I'm not even Greek. 


Problem: 
You are you. 


Solution: 
Be someone else. 


Personas 


• Danger to personas is contamination 

• Contact between personas (covers) contaminates both 

• Keep cover identities isolated from each other 


Layered defense 


• Fail safe technological solution 
• TOR all the things! 
• Back stop persona 
• Primary cover alias as first identity 
• Secondary cover aliases (e.g. handles) 


Profiling data 


Pitfalls 


• Location revealing information 
  • Weather 
  • Time 
  • Political events 

• Profiling data 


Practice 


Amateurs practice until they get it right, 
professionals practice until they can’t get it 
wrong 


Practice makes perfect 


Stringer: What you doing? 
Shamrock: Robert's Rules says we got to 
have minutes of the meeting. 
These the minutes. 
Stringer: Nigga, is you taking notes on a 
criminal fucking conspiracy? 


No logs. No crime. 


Staying Anonymous 


Personal info is profiling 
Talie 


Guidelines against 
profiling 


• Do not include personal information in your nick and screen name. 

• Do not discuss personal information in the chat, where you are from... 

• Do not mention your gender, tattoos, piercings or physical capacities. 


Guidelines, cont. 


• Do not mention your profession, hobbies or involvement in activist groups 

• Do not use special characters on your keyboard unique to your language 

• Do not post information to the regular internet while you are anonymous in IRC. 

• Do not use Twitter and Facebook 


Guidelines, cont. 


• Do not post links to Facebook images. The image name contains a personal ID. 

• Do not keep regular hours / habits (this can reveal your timezone, geographic locale) 

• Do not discuss your environment, e.g. weather, political activities, 


Robert Morris Jr. 
was exploiting 
remote buffer 
overflows on an 
Internet wide scale 
in 1988 


His dad, Robert 
Morris Sr., was 
a chief research 
scientist for the 
NSA at the time 


Yes, I'm sure you 
and your efnet 
buddies are way 
ahead of the curve. 


Hackers are no longer 
the apex predator 



That position has been 
ceded to LEO* 


*Law Enforcement Officials 


is listening 
He wants to know 
what you know 


Technology 


VPNs vs. TOR 


• VPNs provide privacy 
• TOR provides anonymity 

• Confuse the two at your peril 

• TOR connection to a VPN => OK 
• VPN connection to TOR => GOTO JAIL 


On VPNs 


• Only safe currency is Bitcoins 
  • because they come from nothing 

• Purchase only over TOR 

• http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/ 



Tor Disabled 


Fail closed 


BusyBox v1.19.4 (2012-09-16 07:22:32 ICT) built-in shell (ash) 
Enter 'help' for a list of built-in commands. 

ver. 0.4.1 

-- No logs - No crime -- 

Entropy: 23/4096 

root@p0rtal:/# 


PORTAL 


Personal Onion Router To Avoid LEO 


PORTAL 


• Router ensuring all traffic is transparently sent over TOR 

• Reduce the ability to make mistakes 
• Use mobile uplink 
• Mobility (go to a coffee shop) 

• Reduce risk of wifi monitoring 


PORTAL 


• Uses tricks to get additional storage space on / 


Hardware 


• TP-LINK AR71xx personal routers 
  • MR-11U 
  • MR-3040 
  • MR-3020 
  • WR-703N 


MR-3040 & MR-11U 


• Battery powered 
• Approx. 4-5 hrs per charge 
• USB for 3G modem 


http://torporfavor.org/download/portal/ 


Conclusion 


TIL: You can be famous. You can be a criminal. 
but you can't be a famous criminal 
RIP #lulz. RIP. 


STFU 


Questions? 


If you think, don’t speak 

If you speak, don’t write 

If you write, don’t sign 

If you sign, don’t be surprised 


